What happened
SentinelLabs disclosed macOS.Gaslight on 2026-06-23, a DPRK-attributed Rust implant uploaded to VirusTotal on May 22 and caught only by Apple XProtect (not static AV engines). Its novel feature: 38 stacked fabricated LLM system messages embedded in the binary designed to make AI triage tools abort analysis by simulating catastrophic tool failures. Behind the injection sits a full infostealer targeting Chrome, Brave, Firefox, Safari, the macOS login keychain, and terminal histories, with an interactive operator shell over a pinned Telegram channel.
Why it matters
This is the first publicly documented in-the-wild malware sample weaponizing prompt injection not against end users but against AI security tooling itself — a direct attack on the AI-assisted defender workflow. As LLM triage tools become standard in SOC operations, adversaries will embed more such evasion cascades. The DPRK attribution links this to the same actor behind the Mastra npm supply chain attack.
Attack vector
The macOS implant embeds 38 fabricated system-failure messages (fake token expiry, memory errors, injection warnings) formatted as Markdown-fenced blocks mimicking AI triage tool scaffolding; when an LLM-assisted analysis tool ingests the binary, the injected messages push the model to abort or refuse analysis. Separately, C2 runs over Telegram Bot API with AES-GCM encryption and certificate pinning.
Affected systems
AI-assisted malware triage tools and LLM-based security analysis pipelines (any tool that feeds malware binary content into an LLM for analysis)
Mitigation
Treat all malware binary content as adversarial input — never pass raw binary strings or embedded text directly into LLM prompts without sanitization. IOCs and full analysis: https://www.sentinelone.com/labs/macos-gaslight-rust-backdoor-turns-prompt-injection-on-the-analyst-not-the-sandbox/. Apple XProtect rule: MACOS_BONZAI_COBUCH.